I have lots of my web sites behind CloudFlare – which is nice because I get free auto-updated SSL certs and all the other benefits of CloudFlare.
But in case I want to bypass CloudFlare, I like to keep a solid SSL cert on the original server. So I logged in and ran:
sudo certbot renew --dry-run
And got this error message:
Attempting to renew cert from /etc/letsencrypt/renewal/www.tsugi.org.conf produced an unexpected error: Failed authorization procedure. www.tsugi.org (tls-sni-01): urn:acme:error:tls :: The server experienced a TLS error during domain verification :: remote error: tls: handshake failure. Skipping.
The solution was to log in to CloudFlare and reconfigure my tsugi.org to temporarily bypass the proxy and then re-run:
sudo certbot renew --dry-run
Then the renewal worked just fine, and afterwards I restored Cloudflare as my proxy.
Of course you might need a few minutes whilst the DNS changes propagate.
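As an added example (not part of the original post), here is a small Python parser for the certbot renewal error line quoted above. It picks out the renewal config, domain, challenge type and ACME error URN, and flags the tls-sni-01 / urn:acme:error:tls handshake failure as a validation that was answered by the proxy rather than the origin, which is exactly the case fixed here by pausing the Cloudflare proxy. The second log line (domain example.invalid) and the third line are constructed to show the non-proxy path.

```python
import re
from dataclasses import dataclass

# Constructed sample log: line 1 is the certbot message quoted in the post;
# lines 2 and 3 are made up here to exercise the other code paths.
SAMPLE_LOG = """\
Attempting to renew cert from /etc/letsencrypt/renewal/www.tsugi.org.conf produced an unexpected error: Failed authorization procedure. www.tsugi.org (tls-sni-01): urn:acme:error:tls :: The server experienced a TLS error during domain verification :: remote error: tls: handshake failure. Skipping.
Attempting to renew cert from /etc/letsencrypt/renewal/example.invalid.conf produced an unexpected error: Failed authorization procedure. example.invalid (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.invalid/.well-known/acme-challenge/abc. Skipping.
Cert not yet due for renewal
"""

# Shape of certbot's per-certificate failure line (from the post's output).
LINE_RE = re.compile(
    r"Attempting to renew cert from (?P<conf>\S+) produced an unexpected error: "
    r"Failed authorization procedure\. (?P<domain>\S+) \((?P<challenge>[\w-]+)\): "
    r"(?P<urn>urn:acme:error:\w+) :: (?P<detail>.*?)\. Skipping\.$"
)

@dataclass
class RenewalFailure:
    conf: str
    domain: str
    challenge: str
    urn: str
    detail: str

    def proxy_terminated_tls(self) -> bool:
        """True when a TLS-based challenge died in the handshake: the CA's
        connection was terminated by whatever fronts the host, not the origin."""
        return (self.challenge == "tls-sni-01"
                and self.urn == "urn:acme:error:tls"
                and "handshake failure" in self.detail)

def parse_failures(log_text: str) -> list[RenewalFailure]:
    """Return one RenewalFailure per matching line; unrelated lines are ignored."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            failures.append(RenewalFailure(**m.groupdict()))
    return failures

def advise(f: RenewalFailure) -> str:
    """One-line operator hint for each failure."""
    if f.proxy_terminated_tls():
        return (f"{f.domain}: TLS validation was answered by the proxy, not the origin; "
                f"pause proxying (DNS-only) for the renewal, then re-enable it")
    return f"{f.domain}: {f.challenge} failed with {f.urn}; inspect {f.conf}"

if __name__ == "__main__":
    for failure in parse_failures(SAMPLE_LOG):
        print(advise(failure))
```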